Cyware Weekly Threat Intelligence - March 28–01

Weekly Threat Briefing • Apr 1, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Apr 1, 2022
The Good
There is always a reason to celebrate when cybercriminals get busted. This week, the FBI dismantled a notorious cybercrime ring that stole millions of dollars from American businesses through business email compromise schemes. On a different note, we saw several positive developments in the form of international agreements on cybersecurity. For instance, Singapore and the U.S. agreed to strengthen their cooperation through a new annual cybersecurity dialogue.
Under “Operation Eagle Sweep,” the FBI dismantled a major cybercrime operation engaged in business email compromise schemes. Starting in September 2021, the authorities arrested 65 suspects in the United States, Nigeria, South Africa, Cambodia, and Canada.
The Australian government sets aside approximately $7.5 billion in funds for boosting cybersecurity and intelligence capabilities within the country.
A team of researchers designed a new system to tackle concerns related to invasive tracking. Dubbed Privid, the system enables video analytics in a privacy-preserving way.
U.S. lawmakers proposed a new bill that would focus on strengthening the cybersecurity posture of the American healthcare and public health sector. The Healthcare Cybersecurity Act aims to enhance collaboration between the CISA and the HHS.
The EU and the U.S. reached an agreement on reviving trans-Atlantic data flows deal. The deal would ensure “predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
Singapore and the U.S. will be holding a yearly dialogue as part of strengthening cooperation on combating cyberthreats while promoting resilience and securing critical infrastructure.
The Bad
The healthcare sector remains a favorite target of cyberattackers. This week a health plan provider for law enforcement officials, LEHB, disclosed falling prey to a ransomware attack that lead to huge data loss. Even the education sector has come under the attackers' crosshairs as the personal data of hundreds of thousands of NYC students was leaked. While looking for new jobs, beware of getting phished as thousands of fake job offers are being circulated by scammers.
The personal information of roughly 820,000 current and former New York City public school students was affected in a breach that occurred in January after threat actors gained unauthorized access to an online grading system and attendance system.
Hackers are compromising WordPress sites to use visitors’ browsers as a channel to launch DDoS attacks on Ukrainian websites belonging to government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, and banking.
Researchers are warning against active exploitation of the Log4Shell vulnerability, to deliver backdoors and cryptocurrency miners onto vulnerable VMware Horizon servers. The campaign leverages remote monitoring software packages, Atera or Spashtop, and the Sliver backdoor.
A threat actor dubbed RED-LILI was linked to an ongoing large-scale supply chain attack campaign that targets the NPM package repository. Researchers found nearly 800 malicious packages that were published in the repository via a fully-automated system that enabled the attacker to bypass the verification process.
Threat actors have been found sending nearly 4,000 phishing emails related to fake jobs to trick victims into sharing their personal data or committing money laundering. In order to look convincing, these phishing emails include logos for corporate brandings, spoofed university addresses, Google Forms, and fake checks.
A ransomware attack at Shutterfly affected the personal information of its employees. The attack occurred on December 3, 2021, after which the Conti ransomware group had leaked around 7.05GB of stolen data on its site. Apart from stealing employee data, the gang had also encrypted over 4,000 devices and 120 VMware ESXi servers.
Cyber attackers hacked the Ronin network of Axie Infinity, the blockchain-based game, and stole more than $620 million in cryptocurrency. They used hacked private keys to forge fake withdrawals.
The Lapsus$ gang announced its return on Telegram by leaking confidential information stolen from software firm Globant. Around 70GB of source code and administrator passwords associated with the firm’s Atlassian suite, stolen by threat actors, is available on their Telegram channel.
Law Enforcement Health Benefits (LEHB) disclosed a ransomware attack that occurred last year. According to the organization, attackers encrypted files on September 14, 2021. Among the files affected include the personal information of more than 85,000 users.
Hive ransomware gang has claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC). The stolen data includes names, social security numbers, and addresses of users. Around 400GB of stolen files from the healthcare organization’s server has been posted on Hive’s dark website.
Kaspersky unmasked North Korea state-backed hackers distributing an infected DeFi wallet for cryptocurrency assets. The campaign, possibly conducted by Lazarus, has the capability to gain full access to the targeted systems.
Phishers are abusing Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. Researchers noticed that threat actors leveraged custom branding and web hosting features to host static landing phishing pages. Each landing page automatically gets its own secure page padlock in the address bar due to the *.1.azurestaticapps.net wildcard TLS certificate.
Two vulnerabilities have been found affecting Rockwell Programmable Logic Controllers. They are tracked as CVE-2022-1161 and CVE-2022-1159. While the former affects numerous versions of Rockwell’s Logix Controllers, the latter impacts several versions of its Studio 5000 Logix Designer application. The flaws can allow attackers to launch Stuxnet-style attacks on PLCs.
**New Threats **
The last couple of months has been a fruitful time for data wipers. We found the seventh new wiper malware of the year in a new discovery this week. Dubbed AcidRain, it is raining attacks on modems and routers. A new conversation hijacking campaign was found propagating the IcedID trojan. You have heard about conventional obfuscation; now get ready for IPfuscation. This novel tactic is being used by Hive ransomware.